Firewall block all rules



  • Hello, my rules are:

    
    Proto    Source         Port  Destination  Port  Gateway  Schedule  Description
    *        *              *     *            *     *                  Block WAN ALL
    TCP/UDP  *              *     *            6666  *                  OpenVPN
    TCP/UDP  *              *     *            3333  *                  NAT Squid Port Forward
    TCP/UDP  *              *     *            110   *                  Allow WAN POP
    TCP/UDP  *              *     *            995   *                  Allow WAN POP SSL
    TCP/UDP  *              *     *            143   *                  Allow WAN IMAP
    TCP/UDP  *              *     *            993   *                  Allow WAN IMAP SSL
    TCP/UDP  *              *     *            25    *                  Allow WAN SMTP
    TCP/UDP  *              *     *            465   *                  Allow WAN SMTP SSL
    TCP/UDP  *              *     *            587   *                  Allow WAN SMTP TLS
    TCP/UDP  *              *     *            21    *                  Allow WAN FTP
    UDP      *              *     *            123   *                  Allow WAN NTP
    ICMP     *              *     *            *     *                  Allow Ping
    TCP      *              *     *            4804  *                  Allow BunkerTV Radio
    TCP/UDP  192.168.10.25  *     *            *     *                  Allow Only Lafoffice01
    
    

    Why does the firewall block me?
    I am the client 192.168.10.25.

    Thanks for the help!



  • Are these rules under the Firewall->Rules->WAN tab?

    I have a similar problem. I want to block all traffic from WAN and just allow some things. In my case I think there is a problem with the (Block private networks and Block bogon networks) checkboxes under the Interfaces->WAN tab!



  • Yes, I agree with your last point, but I have already disabled that blocking! (disabled: block bogon networks)

    My first block rule = block all,

    and the last one should let me in, but everything is blocked.... Why?

    I have this rule set for LAN and WAN:
    first, block any any any any,
    and the last rule is set for a client IP, TCP/UDP, everything allowed,
    but the client can't connect to anything!!! :(
    What am I doing wrong?

    (Do I have to set all protocols for 192.168.10.25 so that this client can get access?)



  • How did you set it up so that nobody but your network can access??????

    Thanks for helping me!



  • 1.) Try using TCP, not TCP/UDP, for those kinds of ports like POP, SMTP, FTP, etc.
    2.) Allow these ports on the Firewall->Rules->LAN tab and remove them from the WAN tab; for WAN, only set a BLOCK rule for all ports and maybe later some other things like HTTPS management of your router.

    And maybe take a look at this page: http://doc.pfsense.org/index.php/Example_basic_configuration

    Best wishes, Janis!



  • Remember that rules are resolved top down. So rules that are at the top will take priority over the ones at the bottom of the list.



  • Cool, this is very good news!!

    Firewall rules:
    top = high priority
    bottom = low priority

    And that tutorial for outbound LAN rules is very good; is there one like it for WAN?

    Do I only have to set HTTP and HTTPS for WAN????
    What about IMAP and POP3, SMTP??? Only in the LAN rules?!

    Thanks for helping me understand pfSense ;)

    BIG THX



  • I can show how I do that. I actually don't know if this is right, but I have something like:

    In LAN -> ALLOW FROM LAN SUBNET TO Destination PORT -> HTTP, HTTPS, POP, SMTP, SSH, FTP and so on.
    In WAN -> ALLOW Management from WAN (HTTPS) from a specified IP and THEN a BLOCK ALL rule. And I'm planning to put more rules here for port forwarding.



  • Alright.... that's good!

    But why set the internet rules on the LAN interface?
    WAN has access to the internet....

    Can you explain it to me?



  • 1.) When you don't have any firewall rules under the LAN interface, then everything is blocked from the LAN interface. It looks like: no rules in LAN, then everything is blocked in LAN.

    2.) Actually, I don't know. But I think it's good to do it on the LAN interface if you use multiple LAN interfaces. For example, you have LAN1 (192.168.1.1/24) and LAN2 (192.168.10.1/24) and you want to allow mail (POP and SMTP) ports only on the LAN2 interface.

    Don't take me too seriously, because I just tested and discovered all this :) So I'm not a big expert on this :)

    Cheers, Janis!



  • The rules take priority from the TOP to the bottom, so Block * WAN * will refuse any allows that appear after it. To fix this, move your block statement to the very bottom of your list, and all will be fixed.

    Change your rules to look like this:

    Proto    Source         Port  Destination  Port  Gateway  Description
    TCP/UDP  *              *     *            6666  *        OpenVPN
    TCP/UDP  *              *     *            3333  *        NAT Squid Port Forward
    TCP/UDP  *              *     *            110   *        Allow WAN POP
    TCP/UDP  *              *     *            995   *        Allow WAN POP SSL
    TCP/UDP  *              *     *            143   *        Allow WAN IMAP
    TCP/UDP  *              *     *            993   *        Allow WAN IMAP SSL
    TCP/UDP  *              *     *            25    *        Allow WAN SMTP
    TCP/UDP  *              *     *            465   *        Allow WAN SMTP SSL
    TCP/UDP  *              *     *            587   *        Allow WAN SMTP TLS
    TCP/UDP  *              *     *            21    *        Allow WAN FTP
    UDP      *              *     *            123   *        Allow WAN NTP
    ICMP     *              *     *            *     *        Allow Ping
    TCP      *              *     *            4804  *        Allow BunkerTV Radio
    TCP/UDP  192.168.10.25  *     *            *     *        Allow Only Lafoffice01
    *        *              *     *            *     *        Block WAN ALL
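The top-down, first-match behaviour the two answers above describe, as an added Python example that is not from this thread or from pfSense: it evaluates a subset of the posted WAN rules in the original order and in the suggested order, lists the allow rules that a top-placed block rule shadows, and also shows that the reordered list still passes POP from any WAN address, which is the reason Janis gave for keeping service allows on LAN and only a block rule on WAN. The Rule/Packet fields, the matching logic and the 203.0.113.9 address are constructed for this illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str    # "pass" or "block"
    proto: str     # "TCP", "UDP", "TCP/UDP", "ICMP" or "*" for any
    src: str       # source address or "*"
    dst_port: str  # destination port or "*"
    descr: str

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst_port: "int | None" = None  # ICMP carries no port

def _proto_covers(wide, narrow):
    return wide == "*" or set(narrow.split("/")) <= set(wide.split("/"))

def rule_matches(rule, pkt):
    port_ok = rule.dst_port == "*" or str(pkt.dst_port) == rule.dst_port
    return _proto_covers(rule.proto, pkt.proto) and rule.src in ("*", pkt.src) and port_ok

def evaluate(rules, pkt):
    """Top-down, first match wins; anything unmatched is blocked (pfSense default)."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.descr
    return "block", "default deny"

def covers(wide, narrow):
    """True when every packet `narrow` could match is already caught by `wide`."""
    return (_proto_covers(wide.proto, narrow.proto) and wide.src in ("*", narrow.src)
            and wide.dst_port in ("*", narrow.dst_port))

def shadowed(rules):
    """Descriptions of rules that can never fire because an earlier rule covers them."""
    return [r.descr for i, r in enumerate(rules)
            if any(covers(e, r) for e in rules[:i])]

BLOCK_ALL = Rule("block", "*", "*", "*", "Block WAN ALL")
ALLOWS = [  # subset of the WAN rules posted in the thread
    Rule("pass", "TCP/UDP", "*", "110", "Allow WAN POP"),
    Rule("pass", "UDP", "*", "123", "Allow WAN NTP"),
    Rule("pass", "ICMP", "*", "*", "Allow Ping"),
    Rule("pass", "TCP/UDP", "192.168.10.25", "*", "Allow Only Lafoffice01"),
]
ORIGINAL_ORDER = [BLOCK_ALL] + ALLOWS  # as first posted: block at the top
FIXED_ORDER = ALLOWS + [BLOCK_ALL]     # as suggested: block at the bottom
```

`shadowed(ORIGINAL_ORDER)` names every allow rule, which is why the client 192.168.10.25 was blocked; with the block rule last nothing is shadowed, but the port-based allows still match any WAN source.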

